HBGary CEO Speaks Out On Anonymous Hack
Data Breaches, March 23, 2011, 4:54PM, by Brian Donohue
Greg Hoglund, CEO of HBGary, admits that lackluster security at his company played a central role in the breach that led to the release of some 50,000 company emails, but also disputes common understanding and reported details of the hack and the group behind it, going so far as to say there was actually no hack at all.
andrea.sartori writes: According to The H, Lastpass, a central storage facility for passwords (lastpass.com), simply blocks the IP addresses of users who test the site's security measures in a move which may cause collateral damage, such as blocking entire networks if multiple persons use the same NAT firewall or a joint proxy to access the internet, and one of them does something "suspicious", like testing their website for XSS or SQL injection problems.
This could be exploited as a rather curious attack system: if somebody embeds code in web pages that calls Lastpass URLs with strings typical of XSS code, simply viewing a seemingly harmless page could, without any further input by the user, make a browser load these strings and trigger an alarm at Lastpass.
Lastpass replies that the risk is small because blocks are triggered manually rather than automatically, and that extensions and apps remain unaffected, which means that users continue to have access to their stored passwords.
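The collateral-damage problem the submission describes, worked through as an added example. This is written for this page and is not LastPass's code; it does not reproduce their real blocking rules. The request fields, the probe heuristic, the threshold and all sample traffic are constructed assumptions. It contrasts the naive "block the IP on any probe-like request" policy with one that attributes probes to sessions where possible, requires a threshold for anonymous same-origin probes, and never lets an anonymous, cross-site-triggered request drive an IP block:

```python
"""Collateral damage from IP-based blocking, and one way to limit it.

Added example for this page; NOT LastPass's code and not their real blocking
rules. Request fields, the probe heuristic, the threshold and all sample
traffic below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SITE_ORIGIN = "https://lastpass.com"  # assumed origin of the protected site

# Crude "looks like an XSS/SQLi probe" heuristic; constructed, not a real WAF signature.
PROBE_PATTERN = re.compile(r"<script|javascript:|onerror\s*=|'\s*or\s+1\s*=\s*1", re.IGNORECASE)


@dataclass(frozen=True)
class Request:
    ip: str                    # client address as seen by the server (shared behind a NAT)
    query: str                 # query string the server received
    referer: str               # Referer header sent by the browser ("" if none)
    session_id: Optional[str]  # valid session cookie, or None for an anonymous request


def looks_like_probe(req: Request) -> bool:
    return bool(PROBE_PATTERN.search(req.query))


def naive_policy(requests: List[Request]) -> Set[str]:
    """The behaviour the post describes: block the source IP on any probe-like request."""
    return {r.ip for r in requests if looks_like_probe(r)}


def hardened_policy(requests: List[Request], threshold: int = 3) -> Tuple[Set[str], Set[str]]:
    """Limit collateral damage from shared IPs.

    - A probe carrying a valid session is attributed to that session, not to the IP.
    - An anonymous probe counts against the IP only if its Referer is same-origin,
      i.e. it plausibly came from someone actually using the site. Forced loads from
      a third-party page (cross-site Referer, no session) are the remote-trigger case
      in the post; they are logged but never used to block an IP.
    - Anonymous same-origin probes must reach `threshold` before the IP is blocked.
    Returns (blocked_ips, flagged_sessions).
    """
    per_ip = defaultdict(int)
    blocked_ips: Set[str] = set()
    flagged_sessions: Set[str] = set()
    for r in requests:
        if not looks_like_probe(r):
            continue
        if r.session_id is not None:
            flagged_sessions.add(r.session_id)
        elif r.referer.startswith(SITE_ORIGIN):
            per_ip[r.ip] += 1
            if per_ip[r.ip] >= threshold:
                blocked_ips.add(r.ip)
        # else: anonymous probe with a cross-site or empty Referer -> log only
    return blocked_ips, flagged_sessions


def collateral_victims(blocked_ips: Set[str], requests: List[Request]) -> Set[str]:
    """Sessions of users who never probed but share a blocked IP."""
    probers = {r.session_id for r in requests if looks_like_probe(r)}
    return {r.session_id for r in requests
            if r.session_id is not None and r.ip in blocked_ips and r.session_id not in probers}


# Constructed sample traffic. 203.0.113.7 is an office NAT address shared by several people.
NAT = "203.0.113.7"
SAMPLE: List[Request] = [
    Request(NAT, "folder=work", SITE_ORIGIN + "/vault", "sess-alice"),
    Request(NAT, "folder=home", SITE_ORIGIN + "/vault", "sess-bob"),
    # A colleague views an unrelated page that embeds an <img> pointing at the site with an XSS string.
    Request(NAT, "q=<script>alert(1)</script>", "https://evil.example/cute-cats.html", None),
    # A logged-in user deliberately testing for SQL injection from the same NAT.
    Request(NAT, "id=1' or 1=1", SITE_ORIGIN + "/vault", "sess-carol"),
    Request(NAT, "id=1' or 1=1 --", SITE_ORIGIN + "/vault", "sess-carol"),
    Request(NAT, "q=<script>document.cookie</script>", SITE_ORIGIN + "/vault", "sess-carol"),
]

if __name__ == "__main__":
    naive = naive_policy(SAMPLE)
    print("naive blocks IPs:", naive, "collateral:", collateral_victims(naive, SAMPLE))
    ips, sessions = hardened_policy(SAMPLE)
    print("hardened blocks IPs:", ips, "flags sessions:", sessions)
```

On the sample traffic the naive policy blocks the shared NAT address and locks out alice and bob, who did nothing; the hardened policy blocks no IP and instead flags carol's session, the only identity that actually sent probes. The Referer check is a weak signal on its own (it can be suppressed or spoofed), so the point is not the specific test but the principle: a decision that can be triggered by an unauthenticated request forced from a third-party page must not punish a whole shared IP.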
andrea.sartori writes: The H reports the announcement of the development plan for GNU Free Call, an open source VoIP service based on the SIP protocol. According to the announcement it "aims to be as ubiquitous and usable as the proprietary Skype VOIP service". Will this be the end of central service providers?
andrea.sartori writes: ZDNet reports that "Hackers have compromised a private e-mail list used by Linux and BSD distributors to share information on embargoed security vulnerabilities and used a backdoor to sniff e-mail traffic, according to the moderator of the list. In a note to Vendor-Sec's members, moderator Marcus Meissner said he noticed the break-in on January 20 but warned that it might have existed for much longer.
Immediately after Meissner's warning e-mail, the attacker re-entered the compromised machine and destroyed the installation."
Meissner has since killed the list: "So everyone please consider vendor-sec@....de is dead and gone at this point, successors (or not) will hopefully result out of this discussion."
The H Security notes that this isn't the first compromise of the Vendor-Sec list. In 2005, black hat hackers reportedly hijacked a kernel exploit for root access from the list.
andrea.sartori writes: Chris Adamson posted a very interesting article on pragprog.com, defining C as a "punk rock language". The musical analogy is developed and used to compare different types of programming languages. Pickup line: 'One of the defining traits of punk is the do-it-yourself (DIY) ethic, a rejection of the need to buy products or use existing systems, and instead to attend to your own needs. This attitude clearly suits C programming as well.' And: 'Any idiot with a Slashdot handle can talk crap about anything. It's when you piss off the smart developers that you know you're working with something interesting.'
So from Apple's perspective, changing the iPhone Developer Program License Agreement to prohibit the use of things like Flash CS5 and MonoTouch to create iPhone apps makes complete sense. I'm not saying you have to like this. I'm not arguing that it's anything other than ruthless competitiveness. I'm not arguing (up to this point) that it benefits anyone other than Apple itself. I'm just arguing that it makes sense from Apple's perspective — and it was Apple's decision to make.
andrea.sartori writes: According to net-security.org, "Ransomware is the dominating threat with nine of the detections in the malware top ten list resulting in either scareware or ransomware infesting the victim's PC. Fortinet observed the primary drivers behind these threats to be two of the most notorious botnet "loaders" — Bredolab and Pushdo. Another important finding is the aggressive entrance of a new zero-day threat in FortiGuard's top ten attack list, MS.IE.Userdata.Behavior.Code.Execution, which accounted for 25 percent of the detected activity last month."